Bug 1849079

Summary: Follow FIPS policy in regards to DH parameters
Product: Red Hat Enterprise Linux 8 Reporter: Alicja Kario <hkario>
Component: gnutlsAssignee: Daiki Ueno <dueno>
Status: CLOSED ERRATA QA Contact: Alexander Sosedkin <asosedki>
Severity: unspecified Docs Contact: Mirek Jahoda <mjahoda>
Priority: high    
Version: ---CC: asosedki, coughlan, jpazdziora, lvrabec, mjahoda
Target Milestone: rcKeywords: Triaged
Target Release: 8.0Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: gnutls-3.6.14-4.el8 Doc Type: Enhancement
Doc Text:
.`gnutls` FIPS DH checks now conform with NIST SP 800-56A rev. 3 This update of the `gnutls` packages provides checks required by NIST Special Publication 800-56A Revision 3, sections 5.7.1.1 and 5.7.1.2, step 2. The change is necessary for future FIPS 140-2 certifications. As a result, `gnutls` now accept only 2048-bit or larger parameters from RFC 7919 and RFC 3526 during the Diffie-Hellman key exchange when operating in FIPS mode.
 Story Points: ---
Clone Of:
: 1868018 (view as bug list) Environment:
Last Closed: 2020-11-04 01:55:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1868018    

Description Alicja Kario 2020-06-19 14:58:30 UTC 
Description of problem:
New FIPS requirements force the clients to accept DH parameters only if they can verify the order of the key-share. In practice that means the clients can accept only parameters from RFC 3526 or RFC 7919 that are 2048 bits or larger.

Version-Release number of selected component (if applicable):
gnutls-3.6.8-10.el8_2

How reproducible:
always

Steps to Reproduce:
1. set system in FIPS mode
2. connect to server that does not use acceptable parameters

Actual results:
connection is successful

Expected results:
connection should be aborted


Additional info:
Comment 1 Alicja Kario 2020-06-19 14:59:58 UTC 
The server shouldn't automatically use parameters outside of those well-known ones.
Comment 14 errata-xmlrpc 2020-11-04 01:55:30 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (gnutls bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4526